Highlights from the 2015 Data Breach Investigation Report


Our partner Fortinet was among dozens of cybersecurity companies contributing to the 2015 Data Breach Investigation Report, spearheaded by Verizon. The report is an analysis of data culled from almost 80,000 security incidents, including 2,122 confirmed breaches, in more than 60 countries. We've compiled some highlights pertaining to common problems that can be addressed, in part, with greater understanding and vigilance by users.

PHISHING (Phishing attacks use legitimate-looking emails to dupe receivers into sending personal information or clicking on links that can lead to a network breach.)

In previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments.

Now, these messages are rarely sent in isolation, with some arriving faster than others. Many are sent as part of a slow and steady campaign. The numbers again show that a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal's prey.
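The "10 e-mails, greater than 90%" figure follows from the open and click rates quoted above: if each recipient acts independently with probability p, the chance that at least one of n recipients does is 1 - (1 - p)^n. The following Python is an added worked example, not part of the report or this post; it assumes independent recipients (a simplification, since real campaigns target related people) and uses the 23% open rate, the 11% click rate and the "less than 5%" awareness-program target from this page as inputs.

```python
import math


def prob_at_least_one_victim(p_act: float, recipients: int) -> float:
    """Probability that at least one of `recipients` acts on a lure.

    Assumes each recipient independently opens/clicks with probability p_act
    (the independence assumption is the example's, not the report's).
    """
    if not 0.0 <= p_act <= 1.0:
        raise ValueError("p_act must be a probability")
    return 1.0 - (1.0 - p_act) ** recipients


def recipients_for_confidence(p_act: float, target: float) -> int:
    """Smallest campaign size whose chance of at least one victim reaches `target`.

    Solves (1 - p)^n <= 1 - target for n, then nudges to guard against
    floating-point error on the boundary.
    """
    if not 0.0 < p_act < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("p_act and target must be strictly between 0 and 1")
    n = max(1, math.ceil(math.log(1.0 - target) / math.log(1.0 - p_act)))
    while prob_at_least_one_victim(p_act, n) < target:
        n += 1
    while n > 1 and prob_at_least_one_victim(p_act, n - 1) >= target:
        n -= 1
    return n


def campaign_table(p_act: float, sizes=(1, 5, 10, 20, 50)) -> dict:
    """Chance of at least one victim for several campaign sizes, as {n: probability}."""
    return {n: round(prob_at_least_one_victim(p_act, n), 4) for n in sizes}


if __name__ == "__main__":
    # Rates quoted on this page: 23% open, 11% click, <5% as an awareness target.
    for label, p in (("open 23%", 0.23), ("click 11%", 0.11), ("trained <5%", 0.05)):
        print(f"{label:12s} 10 e-mails -> {prob_at_least_one_victim(p, 10):.1%}; "
              f"e-mails needed for 90%: {recipients_for_confidence(p, 0.9)}")
```

Under these assumptions the 23% open rate crosses 90% at nine e-mails (the report's "just 10"), while pushing the rate below 5% means an attacker needs about 45 e-mails for the same odds. That is the practical case for the awareness figure quoted later on this page: every point shaved off the click rate raises the campaign size, and therefore the number of chances a defender gets to notice it.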

So what do we do about this? Hire only robots? Bring back command-line mail? There is obviously no one-shot antidote for the problem at hand. The general areas of focus are three-fold:

Better e-mail filtering before messages arrive in user in-boxes

Developing and executing an engaging and thorough security awareness program

Improved detection and response capabilities

Taking measures to block, filter, and alert on phishing e-mails at the gateway is preferred, but no technological defense is perfect, which leads us straight to... people.

Lance Spitzner, Training Director for the SANS Securing The Human program, echoes Ellen's sentiments, noting that "one of the most effective ways you can minimize the phishing threat is through effective awareness and training. Not only can you reduce the number of people that fall victim to (potentially) less than 5%, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology."

PATCHES (Patches are updates to software that close vulnerabilities that were discovered - by the developers or by hackers - after the software was released.)

We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published. [CVE stands for common vulnerabilities and exposures. In this context it refers to the naming and listing of vulnerabilities as they are discovered. The list is maintained by the MITRE Corporation.]

Ten CVEs account for almost 97% of the exploits observed in 2014. While that's a pretty amazing statistic, don't be lulled into thinking you've found an easy way out of the vulnerability remediation rodeo. Prioritization will definitely help from a risk-cutting perspective, but beyond the top 10 are 7 million other exploited vulnerabilities that may need to be ridden down.

MALWARE (Malware is short for malicious software, which is any application intended to disrupt computer operation, gather information or gain access to a network.)

Looking at just the total number of malware events (around 170 million) across all organizations, we can perform some egregiously simple math to determine that five malware events occur every second.

Consistent with some other recent vendor reports, we found that 70 to 90% (depending on the source and organization) of malware samples are unique to a single organization.

We use "unique" here from a signature/hash perspective; when compared byte-to-byte with all other known malware, there's no exact match. That's not to say that what the malware does is also distinct. Criminals haven't been blind to the signature- and hash-matching techniques used by anti-virus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior. The result is often millions of "different" samples of the "same" malicious program.

This is more than just the malware analyst form of omphaloskepsis (look it up). It has real-world consequences, which basically boil down to "AV is dead." Except it's not really. Various forms of AV, from gateway to host, are still alive and quarantining nasty stuff every day. "Signatures alone are dead" is a much more appropriate mantra that reinforces the need for smarter and adaptive approaches to combating today's highly varied malware.
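The "unique from a signature/hash perspective" point above, and the "signatures alone are dead" conclusion, can be shown in a few lines. The Python below is an added example, not code from the report or from Fortinet or Verizon: it builds two constructed byte strings (not real malware, just a repeated stub and a label) that differ by a single trailing byte, shows that an exact SHA-256 lookup recognises only the one already on the list, and then applies a byte n-gram Jaccard similarity, a simple stand-in for the fuzzy-hashing and behavioural techniques the page alludes to, which still flags the altered copy. The threshold value is an assumption for illustration.

```python
import hashlib

# Constructed stand-ins for two samples of the "same" program: identical
# content except for one padding byte at the end. These are not executables.
BODY = b"\x55\x8b\xec\x83\xec\x10" * 32 + b"sample-program-body"
SAMPLE_A = BODY + b"\x00"   # the copy the AV vendor has already seen
SAMPLE_B = BODY + b"\x01"   # a "new" copy: different hash, same content

# Exact-match signature list, as a hash-based AV would keep it.
KNOWN_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}


def hash_match(sample: bytes) -> bool:
    """Exact signature check: byte-for-byte identical to a known sample?"""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of all length-n byte windows in `data` (order-insensitive content fingerprint)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets: 1.0 means identical content, 0.0 disjoint."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def similarity_match(sample: bytes, known: bytes, threshold: float = 0.9) -> bool:
    """Fuzzy check: close enough to a known sample to warrant a detection?

    The 0.9 threshold is an illustrative assumption, not a vendor setting.
    """
    return similarity(sample, known) >= threshold


def classify(sample: bytes) -> str:
    """Combine both checks the way a layered AV pipeline would."""
    if hash_match(sample):
        return "known-bad (exact hash)"
    if similarity_match(sample, SAMPLE_A):
        return "suspected variant (similarity)"
    return "unknown"


if __name__ == "__main__":
    for name, s in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B)):
        print(f"{name}: sha256={hashlib.sha256(s).hexdigest()[:16]}... "
              f"hash_match={hash_match(s)} similarity={similarity(s, SAMPLE_A):.3f} "
              f"-> {classify(s)}")
```

The one-byte change defeats the exact hash entirely, while the n-gram overlap stays above 0.9 because every window not touching the last byte is shared. Real fuzzy-hash and behavioural engines are far more elaborate, but the shape of the argument is the same: match on what the sample contains or does, not only on what its file hash happens to be.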

The report goes on to describe and analyze the trends in each of these threats. We recommend reading the whole thing here.
